Capture Traffic on CSS 11506

Hello,
I am trying to troubleshoot all traffic related to backend servers (behind CSS) from input and output interfaces of CSS. Could anybody help me in capturing this kind of traffic, with a support guide or commands?
Thanks,
Mo

You can use a CSS port as a SPAN port. Connect a sniffer to that port and you will get the packets.
Command to use
setspan src_port number dest_port number copyBoth|copyTxOnly|copyRxOnly
More details at
http://cco.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.20/configuration/administration/guide/Intface.html#wp1099686
Syed Iftekhar Ahmed

Similar Messages

  • CSS 11506 page requests not directed properly

    CSS 11506 sitting in front of mainframe and
    two Windows 2003 servers
    content rule3056gif
    add service web1
    add service web2
    vip address 10.10.200.252
    balance aca
    url "/IMAGE_DIRECTORY_NAME/*.gif"
    port 3056
    active
    A small number of page requests, that do not match the above pattern, are passing to the content servers web1 or web2 instead of the mainframe.
    Any ideas appreciated.

    When a connection comes in and matches the rule above, a flow is created to switch all traffic between client and server.
    If inside this same flow a new request comes in for a different content rule, the flow needs to be remapped to the new server.
    This works fine except when the flow stays idle.
    A flow that was idle can't be remapped.
    All new requests will be sent to the current/last server even if the request does not match the rule.
    The solution is to increase the idle timeout.
    You can do this with a 'flow-timeout-multiplier'.
    A large value will greatly reduce the chance of seeing the problem, but it also means the amount of resources being used will increase, as each flow will remain longer in memory.
    It's up to you to find the right balance.
    You can do a 'flow stat' from llama mode to see number of free flows and active flows.
    I would say you start with a flow-timeout-multiplier of 100 and reduce or increase it if necessary.
    Regards,
    Gilles.
    - please take a moment of your time to rate this answer.

  • CSS 11506 / install Disclaimer page

    We have a CSS 11506. Our public portal web servers are behind that CSS 11506. How do we configure the CSS so that when people click on some external website URLs on the public portal, a disclaimer / exit page shows up first?

    The CSS is only load balancing the HTTP traffic to the public portal web servers and does not run an HTTP stack itself. As such, the CSS is incapable of presenting any HTTP content to the client. Any disclaimer / exit pages would need to be programmed into the content of the page the public portal server presents to the client. There is not a way to accomplish this on the CSS.

  • Trying to understand SSL sticky with CSS 11506 / ssl-l4-fallback behavior

    Dear experts
    I have a CSS 11506 (v7.50) which is used to load balance several SSL-based sites. We use the following textbook content rule:
    content mysite-SSL
    vip address 10.0.0.1
    add service s01
    add service s02
    add service s03
    port 443
    protocol tcp
    advanced-balance ssl
    application ssl
    flow-timeout-multiplier 225
    active
    If I read the manual correctly, SSL L3 session IDs are going to be used till a flow is set up. Then the ssl-l4-fallback (it is enabled) directive kicks in and load balancing is done based on the source IP, destination port.
    However, my stats show:
    Sticky Statistics - SFM Slot 1, Subslot 1:
    Total number of new sticky entries is 4937735
    Total number of sticky table hits is 33476045
    Total number of sticky rejects (no entry) is 0
    Total number of sticky collision is 0
    Total number of available sticky entries is 0
    Total number of used sticky entries is 131071
    Total L3 sticky entries are 131
    Total L4 sticky entries are 0
    Total SSL sticky entries are 130940
    Total WAP sticky entries are 0
    Total number of SIPCID sticky entries is 0
    So, why don't I see anything in the L4 sticky entries?
    Also, I would expect that once the ssl-l4-fallback kicks in, a client will always be directed to the same server (since the CSS now uses source IP, dest port for load balancing). However, if I close and start my browser again, I hit a different server.
    Your thoughts and suggestions are highly appreciated.
    John.

    Hi Gilles
    Thank you for your response. If I may ask the group for a final further clarification, so as to put this matter to rest. Since there are a lot of frames transmitted in either direction, I would expect the following to be happening and overriding the use of SSLv3 session IDs. Following is the section of the manual that seems to contradict what you say (and I see on the stats). Am I reading the manual wrong?
    "Cisco Content Services Switch
    Content Load-Balancing
    Configuration Guide
    Software Version 8.20
    November 2006
    page 11-14
    Configuring SSL-Layer 4 Fallback
    Insertion of the Layer 4 hash value into the sticky table occurs when more than
    three frames are transmitted in either direction (client-to-server, server-to-client)
    or if SSL version 2 is in use on the network. If either condition occurs, the CSS
    inserts the Layer 4 hash value into the sticky table, overriding the further use of
    the SSL version 3 session ID."
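
An added example, not part of the original posts: a small Python parser for the `Sticky Statistics` output quoted in the question above. It breaks the used entries down by type and flags a table with no free entries. The sample text is the output from the post; the function and key names are illustrative.

```python
import re

# Output quoted in the post above (CSS 11506, v7.50).
SAMPLE = """\
Sticky Statistics - SFM Slot 1, Subslot 1:
Total number of new sticky entries is 4937735
Total number of sticky table hits is 33476045
Total number of sticky rejects (no entry) is 0
Total number of sticky collision is 0
Total number of available sticky entries is 0
Total number of used sticky entries is 131071
Total L3 sticky entries are 131
Total L4 sticky entries are 0
Total SSL sticky entries are 130940
Total WAP sticky entries are 0
Total number of SIPCID sticky entries is 0
"""

# "Total [number of] <name> is|are <count>"
LINE_RE = re.compile(r"^Total\s+(?:number of\s+)?(.+?)\s+(?:is|are)\s+(\d+)$")
ENTRY_TYPES = ("L3", "L4", "SSL", "WAP", "SIPCID")


def parse_sticky_stats(text):
    """Return {counter name (lower case): value} for every 'Total ...' line."""
    stats = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            stats[m.group(1).lower()] = int(m.group(2))
    return stats


def summarize(stats):
    """Break used entries down by type and flag a table with no free entries."""
    used = stats["used sticky entries"]
    free = stats["available sticky entries"]
    by_type = {t: stats.get(f"{t.lower()} sticky entries", 0) for t in ENTRY_TYPES}
    return {
        "capacity": used + free,
        "table_full": free == 0 and used > 0,
        "by_type": by_type,
        # Per-type counters should add up to the used total.
        "consistent": sum(by_type.values()) == used,
        "ssl_share_pct": round(100 * by_type["SSL"] / used, 1) if used else 0.0,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_sticky_stats(SAMPLE)).items():
        print(f"{key}: {value}")
```

On the quoted output, all 131071 entries are in use: 130940 are SSL entries, 131 are L3 entries, and none are L4 entries.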

  • Is it possible to deliver captured traffic (span) to a server in ESX (VMware)?

    Hi Guys,
    I have a request to capture traffic on the LAN and deliver it to a virtual server in an ESX VMware environment.
    Has anyone tried this?
    The topology is this:
    WAN--Gateway--LAN--6500s--portchannel---Server with ESX (virtual server)
    Data coming from the WAN entering the LAN on a specific port, needs to be captured, and sent to a specific virtual server.
    Do you think this is possible?
    Thanks.
    Adrian

    If you put the ESX server's VMNIC port as the destination it should be possible. You need to configure SPAN in VMware, though, to send it to a specific virtual machine. See if this link helps:
    http://blogs.vmware.com/vsphere/2013/02/vsphere-5-1-vds-feature-enhancements-port-mirroring-part-3.html
    Daniel Dib
    CCIE #37149

  • Capturing traffic in cisco devices.

    Hi all,
    I'd like to ask how I can capture traffic in Cisco routers? Something like in Cisco PIX firewalls. It is very nice in Cisco PIXs when I can troubleshoot outgoing and incoming traffic through some interface of the PIX, with the capture capability.
    Any idea?
    BR
    jl

    Try to use: debug ip packet command with access-list parameter. Be careful! Do not start just debug ip packet, it can be very difficult for your router.
    Example here: http://cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml#debugtraffic

  • SCE does not capture traffic snmp get-request

    Hi,
    We have SCE 2000 3.5.5.
    I have a problem to capture some snmp traffic.
    From a server To a router, our SCE captures traffic snmp "GET-NEXT-REQUEST". I can see these traffic in RDR (Transaction RDR and Subscriber RDR).
    But from the same server to the same router, "GET-REQUEST" doesn't.
    I have checked these packets using sniffer software, and the difference of these is only "GET-NEXT-REQUEST" or "GET-REQUEST".
    What could cause this situation??
    Help me!

    Hi, Tom.
    I have controlled that the port is 161 and these packets go through the same SCE.
    I changed the service configuration as you said, but the SCE didn't capture the "snmp-get" packets. I write the way that I have done.
         1.     Open "New Service Configuration"
         2.     Add 161 to "UDP ports for which flow should be opened on first packet"
         3.     "RDR Settings" - "Transaction Usage RDRs" - check "select ALL"
         4.     Apply a SCE device
         5.     command "Snmpget" from a pc
         6.     Control RDRs with tag "4042323000"  --> No record from the pc
         7.     mib-browser from the same pc
         8.     Control RDRs with tag "4042323000"  --> find the record from the pc
    I hope I can resolve it soon.

  • Etherchannel to CSS 11506

    I'm looking at doing an etherchannel/channel group to the CSS 11506 for greater bandwidth on the front of the CSS: clients>chan-group>vip>CSS>servers.
    Has anyone else done this?
    The reason I ask if this can be done is that the backup (ASR) CSS vir-peer shows as master (backup router) state. I didn't see any commands on the CSS for etherchannel, PAgP or LACP.

    Hi,
    Etherchannel is not supported on the CSS, to my knowledge. Furthermore, you should avoid any spanning-tree issue on the CSS. If you need more throughput than 1 Gig, think about splitting the VIPs so that one CSS is active for the first half of the VIPs and the other one for the 2nd part. Be aware that the Gateway on both VIP-pars need to be active on the correct box.
    Kind Regards,
    Joerg

  • CSS 11506 - Locked up but cannot find why

    I have had a CSS 11506 lock up with no access or activity. From the syslog logs I cannot see any error messages reporting a failure, just a hole. During the lockup I had no access to the equipment.
    Any suggestions on how to investigate the lock up ?
    Thank you in advance.
    Roger.

    Hi Roger,
    Based on the symptoms I guess the CSS did not save any core; can you double check?
    I would say that we do not have enough evidence to say what caused the outage. Actually, I would need to see the showtech and look for some evidence, but I can tell you for sure that your code needs to be upgraded.
    The 7.50 train is not getting new releases, since the new trains are 8.10 and 8.20, and also 7.50.103 is an early release on that train and many defects were addressed in newer code, some of them related to crash and hang issues.
    Hope it helps!!

  • CSS 11506

    I configured VIP on my CSS 11506. I created a content rule and a service, which will be used by the content rule. Both have been activated. However, when I do "show service summary", the new service created is not coming up, it's showing down. I removed the service and re-created it and still down. My VIP won't work if the service remains down. Please help if you experience this before. Thanks so much !!

    Collin,
    You are the man! I removed the keepalive by typing "keepalive type none" (initially it was "keepalive type tcp") and now the service is up and I can get to my VIP. Thanks so much! I appreciate it. How should I give you credit?

  • Unable to capture traffic with Ethanalyzer on N5K-5548

    Version - 5.0(2)N2(1)
    My understanding is that we need
    1) Access-List defined, with statistics configured to get matched traffic onto control plane
    2) Access-List applied to an interface, via command "ip port access-group mycap in"
    3) ethanalyzer command, ex; "ethanalyzer local interface mgmt capture-filter "net 1.1.1.0/24" (also tried interfaces inbound-hi & inbound-low)
    I see matches on the access-list, but not seeing anything captured.
    What am I missing?
    ip access-list mycap
      statistics per-entry
      10 permit ip any 1.1.1.0/24
      20 permit ip 1.1.1.0/24 any
      30 permit ip any any

    Just FYI, on a similar side note, we are going to enhance the capability of the capture filter to collect the necessary statistics via the following enhancement:
    CSCsz99277 - ethanalyzer capture filter broken
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsz99277

  • Capturing traffic...

    Can someone walk me through the process needed to build a signature or modify an existing signature to capture certain traffic? I am interested in being able to view the contents of traffic triggering Instant Messaging and IRC related signatures, so either a method for capturing traffic triggered by the existing signatures, or creating a signature to capture any traffic on 5190 or 6667, for example, would be sufficient.
    This is a VMS server version 2.2 monitoring IDS 4.x sensors....
    thanks.

    If they access it via a VPN then your ASA will show the connection to their VPN device and not the connections within that SSL VPN  - those would all be encapsulated in the tunnel.
    If they were accessing the remote server directly (not via a VPN) then yes you would see the server address in your "show conn" output.
    I assume you use 10.10.10.1 as a made-up example as that private IP address would never be routed freely on the Internet - only within a private network or tunneled within a VPN.

  • Capture Traffic - URGENT

    Hi,
    I have a customized portal application which needs voice/video/authentication traffic to pass from the inside NATted server to the outside...
    Opening the required ports didn't help.
    If I remove the access-list for the inside network it works....
    Can someone help by giving the capture commands, so that I could capture the traffic and get the required ports....
    Or some other means to get the required ports.....
    Thanks

    Hi
    use this command
    capture capture_name [access-list acl_id][buffer bytes] [ethernet-type type][interface name] [packet-length bytes]
    to view
    show capture [capture_name] [access-list acl_id] [detail] [dump]
    For additional information check this link
    http://www.cisco.com/en/US/docs/security/pix/pix62/command/reference/c.html#wpxref65943
    HTH
    Raj

  • CSS 11506 Help

    We just bought a 11506. I have a few questions
    - One requirement we have is that I need to direct https web requests to the CSS public IP and then have it redirect that web request over tcp 80 to one of our internal web servers.
    Do I need to purchase an SSL module for this?
    Can someone direct me to the support link for the 11506. Looking for setup and support docs.
    Cheers
    Dave

    In order to do SSL offloading you need to buy SSL module CSS5-SSL-K9.
    You can find lots of CSS config examples
    http://www.cisco.com/en/US/products/hw/contnetw/ps792/prod_configuration_examples_list.html
    & Supporting documents at
    http://www.cisco.com/en/US/products/hw/contnetw/ps792/tsd_products_support_series_home.html
    Syed Iftekhar Ahmed

  • CSS 11506 running 08.20.2.01

    Can you tell me if this will work?
    keepalive type encrypt
    keepalive method get
    keepalive port xxxx
    Specifically, what can I do for a layer 5 KAL for HTTPS in a service? I hate to compare these things but I know on an F5 I can do an https get.
    These are 11506 running 08.20.2.01
    Thanks for anything you can advise,

    You can definitely setup the CSS to perform a URI keep-alive over HTTPS.
    keepalive type http encrypt
    However, in order for this configuration to work properly your CSS must contain the SSL module, as the service will need to be set up as a "type ssl-accel-backend". This will allow the CSS to encrypt the keep-alive request and decrypt the server's response using the cert/keys defined within the backend-server configuration within the ssl-proxy-list.
    Does your CSS contain an SSL module?
    - Jason
